This is SAP Security Consultant page

Here you can find a lot of info on SAP Security

Authorization Objects and Field Values

An authorization object is what SAP uses to implement complex checks that determine whether a user is allowed to perform a certain operation on the system.

An authorization object consists of authorization fields; it can group up to 10 authorization fields, which are checked with an AND relationship.

Authorization objects are considered system elements to be protected and relate to data elements stored in the ABAP Dictionary.
We can put a single value inside a field or a range of values.
The values are called authorizations, and the system checks them with an OR relationship.
You can allow all values or define an empty value as a permissible one.
The user needs all the right values to get access to the given system operation.

Usually, when we talk about transactions assigned to a user, we are talking about a check performed by the SAP system on all the authorization objects and authorization fields assigned to the user through roles.

When the user tries to start a transaction from the menu or directly, the SAP system performs several checks:
- The first check is on table TSTC, to see whether the transaction is valid or does not exist.
- Then the system checks the authorization object S_TCODE, which contains the authorization field TCD (Transaction code). The value inside must be the same as the name of the transaction.
After these checks the user can access the transaction, but usually additional authorization objects are needed to actually use it.

Another authorization object can be added in the definition of the transaction; this additional check is stored in table TSTCA.
Alternatively, the check can be added at program level with the ABAP statement AUTHORITY-CHECK.

You can use transaction SU24 to look up which authorization objects are assigned to a given transaction.
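The following is an added example (not SAP code and not part of the original page) that models the evaluation rules described above: within one authorization every field must match (AND), any one of the user's authorizations for an object may satisfy the check (OR), and a field value may be a single value, a range, the full authorization '*', a generic value ending in '*', or the empty value. It then runs the transaction start sequence in the order the page gives it: TSTC lookup, S_TCODE/TCD, then the additional objects from SU24. All users, roles, transaction codes and SU24 proposals below are constructed sample data, and the matching rules are a simplification of the real system.

```python
"""Toy model of SAP authorization checks (added example, not SAP code).
The object/field names S_TCODE, TCD, TSTC and SU24 follow the page; every
user, transaction and SU24 proposal below is constructed sample data."""

def value_matches(allowed, checked: str) -> bool:
    """One permissible value from an authorization field vs. the checked value."""
    if isinstance(allowed, tuple):            # range: low <= value <= high
        low, high = allowed
        return low <= checked <= high
    if allowed == "*":                        # full authorization for this field
        return True
    if allowed.endswith("*"):                 # generic value, e.g. 'Z*'
        return checked.startswith(allowed[:-1])
    return allowed == checked                 # single value (' ' matches only ' ')

def authorization_matches(authorization: dict, required: dict) -> bool:
    """Every field named in the check must match: AND relationship across fields.
    A field the check names but the authorization lacks fails the check."""
    return all(
        any(value_matches(v, value) for v in authorization.get(field, []))
        for field, value in required.items()
    )

def authority_check(user_auths: dict, obj: str, required: dict) -> bool:
    """Model of ABAP AUTHORITY-CHECK OBJECT obj ID field FIELD value ...:
    the check passes if ANY of the user's authorizations for obj fits (OR)."""
    return any(authorization_matches(a, required) for a in user_auths.get(obj, []))

def start_transaction(tcode: str, user_auths: dict, tstc: set, su24: dict) -> str:
    """The checks the page describes, in order: TSTC existence, S_TCODE/TCD,
    then the additional objects maintained for the transaction in SU24."""
    if tcode not in tstc:
        return "TRANSACTION_DOES_NOT_EXIST"
    if not authority_check(user_auths, "S_TCODE", {"TCD": tcode}):
        return "NO_AUTHORIZATION_S_TCODE"
    for obj, required in su24.get(tcode, []):
        if not authority_check(user_auths, obj, required):
            return f"NO_AUTHORIZATION_{obj}"
    return "OK"

# --- constructed sample data (not taken from a real system) ---------------
TSTC = {"SU01", "SE16", "ZREP"}                      # valid transaction codes
SU24 = {                                             # object + values checked per tcode
    "SU01": [("S_USER_GRP", {"CLASS": "SUPER", "ACTVT": "02"})],
    "SE16": [("S_TABU_DIS", {"DICBERCLS": "SS", "ACTVT": "03"})],
    "ZREP": [],
}
# Two authorizations for S_USER_GRP: the check passes if either one fits (OR)
ADMIN = {
    "S_TCODE": [{"TCD": ["SU01", ("SE10", "SE19"), "Z*"]}],
    "S_USER_GRP": [
        {"CLASS": ["SUPER"], "ACTVT": [("01", "03")]},   # create/change/display SUPER
        {"CLASS": ["*"],     "ACTVT": ["03"]},           # display any user group
    ],
}
AUDITOR = {
    "S_TCODE": [{"TCD": ["SU01", "SE16"]}],
    "S_USER_GRP": [{"CLASS": ["*"], "ACTVT": ["03"]}],  # display only
}

if __name__ == "__main__":
    for user_name, user in (("ADMIN", ADMIN), ("AUDITOR", AUDITOR)):
        for tcode in ("SU01", "SE16", "ZREP", "ZXYZ"):
            print(user_name, tcode, start_transaction(tcode, user, TSTC, SU24))
```

Note how the AUDITOR fails SU01 not at S_TCODE but at the additional object S_USER_GRP, which is the situation SU53 is used to diagnose, and how the ADMIN can start SE16 via the TCD range SE10-SE19 yet still fails on S_TABU_DIS because that object is missing from the buffer entirely.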

Authorization concept

The authorization concept in SAP involves provisioning user access through role-based identity management.
When the user logs into the system, the SAP application authenticates the user and then controls access by checking the authorization objects assigned to that user.
In order to execute a transaction in SAP, the user needs to have the series of authorization objects required for that transaction and to pass all the checks done by the system.
All the authorization objects are assigned through a combination of roles or composite roles defined for the specific organizational position the user holds inside the company.
Roles can be assigned directly or indirectly through composite roles, which are groups of roles.

Introduction

The authorization concept for SAP involves provisioning SAP access using role-based identity management.

When a user logs into the SAP application, the system authenticates that user and performs access control by checking the authorization objects assigned to that user.

All authorization objects are assigned to the user by ROLES created with transaction PFCG.

There are several types of ROLES: single, composite and derived.

SINGLE ROLE - contains all the authorization data and the logon menu structure, which consists of all the transactions assigned to that role. Users assigned to the role can use its menu structure and transactions.

COMPOSITE ROLE - this kind of role does not contain authorization objects. A composite role is used to group related single roles. Users who are assigned to a composite role are automatically assigned the corresponding single roles that are part of the composite.

DERIVED ROLES - are similar to single roles and contain the authorization objects and menu structure, but the organizational levels are not defined in the inherited data.
This kind of role is suitable when we need to maintain roles that are the same but differ from each other only in the organizational levels.
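As an added example (not PFCG code and not part of the original page), the block below models the three role types just described: a single role carrying menu and authorization data, a composite role that only groups single roles, and a derived role that copies its parent's data while receiving its own organizational-level values. Role names, users, the organizational-level field set and all authorization data are constructed sample data; the "$WERKS" placeholder in the parent role and the org-level field list are assumptions of this toy.

```python
"""Toy model of single, composite and derived roles (added example, not SAP code).
All role names, authorization data and organizational levels are constructed."""
from dataclasses import dataclass

@dataclass
class SingleRole:
    """Holds authorization data and the menu (transactions) directly."""
    name: str
    menu: list            # transaction codes in the role menu
    auth_data: dict       # object -> list of authorizations (field -> values)

@dataclass
class CompositeRole:
    """Contains no authorization data; it only groups single roles."""
    name: str
    single_roles: list

# Fields treated as organizational levels in this toy (assumed subset)
ORG_LEVEL_FIELDS = {"WERKS", "BUKRS"}

def derive_role(parent: SingleRole, name: str, org_levels: dict) -> SingleRole:
    """Derived role: same menu and authorization data as the parent, but the
    organizational-level fields carry the values given for this derivation."""
    auth_data = {}
    for obj, auths in parent.auth_data.items():
        new_auths = []
        for auth in auths:
            new_auth = {}
            for fld, values in auth.items():
                new_auth[fld] = [org_levels[fld]] if fld in ORG_LEVEL_FIELDS else list(values)
            new_auths.append(new_auth)
        auth_data[obj] = new_auths
    return SingleRole(name, list(parent.menu), auth_data)

def resolve_roles(assigned: list) -> list:
    """Expand composite roles into the single roles the user implicitly receives."""
    singles = []
    for role in assigned:
        members = role.single_roles if isinstance(role, CompositeRole) else [role]
        for single in members:
            if single not in singles:
                singles.append(single)
    return singles

def user_buffer(assigned: list) -> dict:
    """Merge the authorization data of every resolved single role (object -> authorizations)."""
    buffer = {}
    for role in resolve_roles(assigned):
        for obj, auths in role.auth_data.items():
            buffer.setdefault(obj, []).extend(auths)
    return buffer

def user_menu(assigned: list) -> list:
    """Transactions the user sees in the menu, from all resolved single roles."""
    return sorted({t for r in resolve_roles(assigned) for t in r.menu})

# --- constructed sample data ------------------------------------------------
PLANT_MASTER = SingleRole(
    "Z_PLANT_CLERK_MASTER", ["MM01", "MM02"],
    {"M_MATE_WRK": [{"ACTVT": ["01", "02", "03"], "WERKS": ["$WERKS"]}]},
)
PLANT_1000 = derive_role(PLANT_MASTER, "Z_PLANT_CLERK_1000", {"WERKS": "1000"})
PLANT_2000 = derive_role(PLANT_MASTER, "Z_PLANT_CLERK_2000", {"WERKS": "2000"})
REPORTING = SingleRole(
    "Z_REPORTING", ["SE16"],
    {"S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["MA"]}]},
)
PLANT_1000_ALL = CompositeRole("Z_C_PLANT_1000", [PLANT_1000, REPORTING])

if __name__ == "__main__":
    print("menu:", user_menu([PLANT_1000_ALL]))
    print("buffer:", user_buffer([PLANT_1000_ALL]))
```

The two derived roles differ only in the WERKS value, which is exactly the maintenance pattern the derived-role type is meant for, and the composite role adds the reporting transactions and objects to the user without carrying any authorization data of its own.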

Transactions - SAP Security

Transaction Code   Purpose
SU01    To create and maintain users.
SU01D   To display users.
SU10    For mass user maintenance.
SU02    For manual creation of profiles.
SU03    For manual creation of authorizations.
SU3     For setting address and default parameters.
PFCG    For maintaining roles using the Profile Generator.
PFUD    For comparing user master records in dialog.
SUPC    For mass generation of profiles.
SU24    For maintaining check indicators and for maintaining templates.
SU25    For initial customer table fill.
SU20    Lists the authorization fields.
SU21    Lists the object classes and authorization objects.
SM01    For locking transactions from execution.
SM19    Security audit - configuration.
SM20    Security audit - reporting.
SM30    For creation of table authorization groups and for maintaining assignments to tables.
SCCL    For local client copy on the same system between different clients.
SCC9    For data exchange over the network and remote client copy between clients in different systems.
SCC8    Data exchange happens at operating system level; it supports client transport.
STMS    Transport Management System.
RZ10    Profile configuration.
RZ11    Maintain profile parameters.
SU53    To display the last authority check that failed.
SU56    Display user buffer.
SE84    Information System for SAP R/3 Authorizations.
SECR    Audit Information System.
SE43    Maintain and display area menus.
ST01    System trace.
SUGR    Maintain user groups.
SUIM    User Information System.
SU05    Maintain Internet users.
SMLG    Maintain logon groups.
ST02    Setups/Tune Buffers.
SM02    System messages.
SM04    User overview.
SM12    Display and delete locks.
SM13    Display update records.
SM21    System log.
SM50    Work process overview.
SM51    List of SAP servers.
SM59    Display/maintain RFC destinations.
ST11    Display developer traces and error log files.
ST22    ABAP/4 runtime error analysis.
SM35    Batch input monitoring.
ST05    Performance trace.

Tables - SAP Security

Table               Short text
AGR_1016            Name of the activity group profile
AGR_1016B           Name of the activity group profile
AGR_1250            Authorization data for the activity gr
AGR_1251            Authorization data for the activity gr
AGR_1252            Organizational elements for authorizat
AGR_1253            Authorization Data for Activity Group
AGR_AGRS            Roles in Composite Roles
AGR_AGRS2           Role definition
AGR_ATTS            Role attributes
AGR_BUFFI           Internet Links for a Role
AGR_BUFFI2          Internet links table - Customer versio
AGR_BUFFI3          Internet links table - SAP versions of
AGR_CUSTOM          Role Customizing objects
AGR_DATEU           Personal settings for roles
AGR_DEFINE          Role definition
AGR_FAVOS           Personal settings for PFCG
AGR_FLAGS           Role attributes
AGR_FLAGSB          Role attributes
AGR_HIER            Table for Structure Information for Me
AGR_HIER_BOR        Table for Object-Oriented Navigation (
AGR_HIER2           Menu structure information - Customer
AGR_HIER3           Menu structure information - SAP versi
AGR_HIERT           Role menu texts
AGR_HIERT2          Role menu texts - Customer version of
AGR_HIERT3          Role menu texts - SAP Original
AGR_HPAGE           Role Home Page
AGR_HPAGET          Description of the Home Page for a
AGR_INFO            Filter Values from Generation Run
AGR_LOGSYS          Logical system
AGR_LSD             Role attributes
AGR_MAP_KNUMA       Conversion Table AG_GUID CRM <> KNU
AGR_MAPP            MiniApps in Role
AGR_MARK            Table for report SAPPROFC_NEW
AGR_MEM_INITIAL     Agreements: Buffer for Initial Uploa
AGR_MINI            MiniApps in Role
AGR_MINI2           MiniApps in Role
AGR_MINIT           Role mini-application texts
AGR_MINIT2          Role mini-application texts
AGR_NUM_2           Internal Counter for Assigning Prof
AGR_NUMBER          Internal Counter for Assigning Prof
AGR_OBJ             Assignment of Menu Nodes to Role
AGR_PROF            Profile name for role
AGR_REL_KNUMA_CM    Assignment: Agreement -> Campaign
AGR_SELECT          Assignment of roles to Tcodes
AGR_TCDTXT          Assignment of roles to Tcodes
AGR_TCODE3          Assignment of roles to Tcodes
AGR_TCODES          Assignment of roles to Tcodes
AGR_TEXTS           File Structure for Hierarchical Menu - Cus
AGR_TIME            Time Stamp for Role (Menu, Profile, Author
AGR_TIMEB           Time Stamp for Role (Profile Generation)
AGR_TIMEC           Time Stamp for Role (User Assignment)
AGR_TIMED           Time Stamp for Role (Profile Comparison, R
AGR_USERS           Assignment of roles to users
AGR_USERT           Assignment of roles to users

Table Name          Description
TSTCT
TOBJ                Authorization Objects
TACT                Activities which can be protected (standard activities / authorization fields in the system)
TACTZ               Valid activities for each authorization object
TDDAT               Maintenance areas for tables
TSTC                SAP transaction codes
TPGP                ABAP/4 authorization groups
USOBT               Relation transaction -> authorization object
USOBX               Check table for table USOBT
USOBT_C             Relation transaction -> authorization object (Customer)
USOBX_C             Check table for table USOBT_C

User Tables
Table               Description
USR01               User master record (runtime data)
USR02               Logon data
USR03               User address data
USR04               User master authorizations
USR05               User master parameter ID
USR06               Additional data per user
USR07               Object/values of the last authorization check that failed
USR08               Table for user menu entries
USR09               Entries for user menus (work areas)
USR10               User master authorization profiles
USR11               User master texts for profiles (USR10)
USR12               User master authorization values
USR13               Short texts for authorizations
USR14               Surchargeable language versions per user
USR30               Additional information for user menu
USH02               Change history for logon data
USH04               Change history for authorizations
USH10               Change history for authorization profiles
USH12               Change history for authorization values
UST04               User masters
UST10C              User master: composite profiles
UST10S              User master: single profiles
UST12               User master: authorizations